06/11/2021, 9:44 AM
Hey, I've got a question about resource chaining and dependencies. My code is about base infrastructure setup of an AWS account with all the usual suspects like VPC, subnets, routing. First special resource is an organizational transit gateway setup. For this I have to create an IAM role which I assume by creating a provider resource, and using this I create a second provider which assumes a role in a second account, and there some route table operations are configured. So far, so good .. Now I have the need to do some VPC peerings and like above I have the propagator/acceptor pattern again. So, again two providers, over into the second account and accept the peering propagation .. but no, my second provider fails, saying that it cannot assume the role, and this is where my problems begin. I forgot to allow my IAM role to assume the other account's accepter role. No problem, attach more resource ARNs in the policy and another pulumi up, and it fails again, as my addition to the role's policy isn't finished when the provider gets created.
peeringProvider, err := aws.NewProvider(ctx, fmt.Sprintf("peeringProvider-%s", peer.Name), &aws.ProviderArgs{
	// Provider in the peer account, reached by assuming that account's accepter role
	AssumeRole: &aws.ProviderAssumeRoleArgs{
		RoleArn:     pulumi.String(fmt.Sprintf("arn:aws:iam::%s:role/%s", peer.AccountID, peer.RouteTables["peeringAccepterRole"])),
		SessionName: pulumi.String("peeringAccepterSession"),
	},
	// Region belongs to the provider, not to the assume-role block
	Region: pulumi.String(region.Name),
}, pulumi.Provider(provider), pulumi.DependsOn([]pulumi.Resource{provider, role}))
if err != nil {
	return err
}
Even with the pulumi.DependsOn() containing my role reference, this does not align this provider with the changes on the role. Any hints on how to fix this ordering?
Ok, just a minor issue with this snippet. The role dependency isn't with this provider but with the one this is being created with. But that provider has a direct reference, as I inject the Role as
RoleArn: role.Arn
and thus the direct reference is there.
But the change in itself is happening within the policy of the role, so it's not the role that is changing but the policy; this is a dependency one layer deeper.